Puppet Agent’s Run Environment

User

By default, Puppet agent runs as the LocalSystem user. This lets it manage the configuration of the entire system, but prevents it from accessing files on UNC shares.

Puppet can also run as a different user. You can change the user in the Service Control Manager (SCM). To start the SCM, choose “Run…” from the Start menu and type Services.msc.

You can also specify a different user when installing Puppet. To do this, install via the command line and specify the required MSI properties (PUPPET_AGENT_ACCOUNT_USER, PUPPET_AGENT_ACCOUNT_PASSWORD, and PUPPET_AGENT_ACCOUNT_DOMAIN).

Puppet agent’s user can be a local or domain user. If this user isn’t already a local administrator, the Puppet installer will add it to the Administrators group. The installer will also grant Logon as Service to the user.

Ports

If you want to use a non-default port, you’ll have to change the masterport setting on all agent nodes, and ensure that you’ve changed your Puppet master’s port as well.

Logging

When running as a service, Puppet agent logs messages to the Windows Event Log. You can view its logs by browsing the Event Viewer. (Control Panel → System and Security → Administrative Tools → Event Viewer)

You can adjust how verbose the logs are with the log_level setting, which defaults to notice. Setting it to info is equivalent to running with the --verbose option, and setting it to debug is equivalent to --debug. You can also make logs quieter by dialing back to warning or lower.

When running in the foreground with the --verbose, --debug, or --test options, Puppet agent logs directly to the terminal.

When started with the --logdest <FILE> option, Puppet agent logs to the file specified by <FILE>.

Reporting

In addition to local logging, Puppet agent will submit a report to the Puppet master after each run. (This can be disabled by setting report = false in puppet.conf.)

In Puppet Enterprise, you can browse these reports in the PE console’s node pages, and you can analyze correlated events with the PE event inspector.

Managing Systems With Puppet Agent

In a normal Puppet site, every node should periodically do configuration runs, to revert unwanted changes and to pick up recent updates.

On Windows nodes, there are two main ways to do this:

Run Puppet agent as a service. The easiest method. The Puppet agent service will do configuration runs at a set interval, which can be configured.

Only run Puppet agent on demand. To trigger runs on groups of systems, you can use Puppet Enterprise’s built-in orchestration features.

Since the Windows version of the Puppet agent service is much simpler than the *nix version, there’s no real performance to be gained by running Puppet as a scheduled task. All users who want scheduled configuration runs should run the Windows service.

Running Puppet Agent as a Service

By default, the Puppet installer will configure Puppet agent to run as a Windows service and will automatically start it. No further action is needed. Puppet agent will do configuration runs at a set interval.

If you don’t need an aggressive schedule of configuration runs, a longer run interval will let your Puppet master server(s) handle many more agent nodes.

Once the run interval has been changed, the service will stick to the prior schedule for the next run and then switch to the new run interval for subsequent runs.

Configuring the Service Start Up Type

The Puppet agent service defaults to starting automatically. If you’d rather start it manually or disable it, you can configure this during installation. To do this, install via the command line and specify the PUPPET_AGENT_STARTUP_MODE MSI property.

You can also configure this after installation with the Service Control Manager (SCM). To start the SCM, choose “Run…” from the Start menu and type Services.msc.

You can also configure agent service with the sc.exe command. To prevent the service from starting on boot:

C:\>sc config puppet start= demand
[SC] ChangeServiceConfig SUCCESS

(Note that the space after start= is mandatory! Also note that this must be run in cmd.exe; this command won’t work from PowerShell.)

To restart the service:

C:\>sc stop puppet
C:\>sc start puppet

To change the arguments used when triggering a Puppet agent run (this example changes the level of detail that gets written to the Event Log):

C:\>sc start puppet --debug --logdest eventlog

Running Puppet Agent On Demand

Some sites prefer to only run Puppet agent on demand; others use scheduled runs, but occasionally need to do an on-demand run.

Puppet agent runs can be started locally (while logged in to the target system), or remotely via Puppet Enterprise’s orchestration tools.

While Logged in to the Target System

On Windows, you can start a configuration run with the “Run Puppet Agent” Start menu item. This will show the status of the run in a command prompt window.

You must be logged in as an administrator to do this. On Windows 7/2008 and later, Windows will ask for User Account Control confirmation when you start a configuration run:

Running Other Puppet Commands

If you want to run other Puppet-related commands, you must start a command prompt with administrative privileges. (You can do so with either the standard cmd.exe program, or the “Start Command Prompt with Puppet” Start menu item added by the Puppet installer.)

To do this, right-click the start menu item and choose “Run as administrator:”

This will ask for UAC confirmation:

Remotely

To run Puppet agent remotely on any number of systems, you should use Puppet Enterprise’s orchestration tools. For info, see the Puppet Enterprise manual page on triggering Puppet runs.

Open source Puppet users can install MCollective and the puppet agent plugin to get similar capabilities, but Puppet Labs doesn’t provide standalone MCollective packages for Windows.